Triggering saving to the SDCard with intents opens a security hole

[GoogleCodeExporter]

What steps will reproduce the problem?
0. Write an app *without* the READ_LOGS permission
1. Have the app send a 'start logging' intent to aLogCat
2. Have the app send a 'save to the sdcard' intent to aLogCat
3. Have the app read the log from the sdcard

What is the expected output? What do you see instead?

The expected result if you don't have permission to read logs is that you 
shouldn't be able to read the logs.  Instead, it appears you're able to read 
the logs by getting aLogCat to read them for you and then leave them where they 
can be read by anyone.

Please provide any additional information below.

This is not the first bug of this kind found.  See 
http://arstechnica.com/tech-policy/news/2011/11/researchers-find-big-leaks-in-pr
e-installed-android-apps.ars for similar security holes.

Potential solutions:
  i) Have an option to turn on and off those intent receivers in aLogCat.
  ii) Have a new permission required to send those intents.  Better still, require the app sending the intents to have the READ_LOGS permission to send the intents - that way you don't have to worry about dealing with new permissions.  See http://developer.android.com/guide/topics/security/security.html#manifest
  iii) An option that combines i) and ii): Have an option in aLogCat that allows you to specify who can send the events.  Anyone, apps with log viewing permissions, or no-one.  This is more complex than ii), or even i) and ii) together, as it requires turning on and off the required permissions programatically with Context.registerReceiver() rather than just adding a line to manifest as option ii) would.

Original issue reported on code.google.com by will.ut...@gmail.com on 29 Dec 2011 at 6:04

[GoogleCodeExporter]

The following patch compiles.  I haven't checked that it actually solves the 
issue.  It implements option ii).

Original comment by will.ut...@gmail.com on 29 Dec 2011 at 6:26

Attachments:

• permission.patch